TRENTON— Bad news for anyone in New Jersey who might have used McDonald’s AI chatbot to apply for a job. Hackers have exposed your information due to a simple password used by the bot’s API interface.
A major security lapse in McDonald’s job application system has potentially exposed the personal information of more than 64 million prospective employees, according to a report highlighting two critical vulnerabilities in the platform.
McHire, the recruitment chatbot platform used by 90% of McDonald’s franchisees, is powered by Olivia, a virtual assistant developed by Paradox.ai. The system collects applicant data including personal details, shift preferences, and responses to personality assessments.
Security researchers conducting a brief review of the platform said they discovered that the McHire admin interface could be accessed using default login credentials — 123456:123456. Once inside, an insecure direct object reference (IDOR) flaw in an internal API allowed access to any applicant’s chats and contact information.
The combination of these two issues enabled users with any McHire account to view private data across the system. “Together they allowed us and anyone else with a McHire account and access to any inbox to retrieve the personal data of more than 64 million applicants,” the researchers stated.
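The two weaknesses described above, an unchanged default admin password and an IDOR on applicant records, modelled as an added example against constructed data (this is not the article’s or Paradox.ai’s code; account names, ids and the denylist are assumptions). It shows the vulnerable login and lookup beside hardened versions that reject default credentials and scope every record read to the caller’s own inbox.

```python
# Added example, not code from the article or from McHire/Paradox.ai.
# All accounts, applicants and ids are constructed sample data.
from dataclasses import dataclass

WEAK_DEFAULTS = {"123456", "password", "admin"}  # constructed denylist

@dataclass
class Session:
    user: str
    franchise: str  # the single inbox this account is allowed to read

# user -> (password, franchise); "admin" still has the factory default
ACCOUNTS = {
    "admin": ("123456", "store-7"),
    "store9-mgr": ("Long-Random-Passphrase-42", "store-9"),
}
# applicant_id -> record; "franchise" records which inbox owns it
APPLICANTS = {
    101: {"name": "A. Applicant", "phone": "555-0101", "franchise": "store-7"},
    102: {"name": "B. Applicant", "phone": "555-0102", "franchise": "store-9"},
}

def login_vulnerable(user, password):
    """Accepts whatever is stored, even an unchanged default."""
    rec = ACCOUNTS.get(user)
    return Session(user, rec[1]) if rec and rec[0] == password else None

def login_hardened(user, password):
    """Refuses accounts still on a known default until they are reset."""
    rec = ACCOUNTS.get(user)
    if not rec or rec[0] != password or password in WEAK_DEFAULTS:
        return None
    return Session(user, rec[1])

def get_applicant_vulnerable(session, applicant_id):
    """IDOR: any authenticated session can read any record by id."""
    if session is None:
        return None
    return APPLICANTS.get(applicant_id)

def get_applicant_hardened(session, applicant_id):
    """Scope the lookup to the caller's inbox and fail closed."""
    if session is None:
        return None
    rec = APPLICANTS.get(applicant_id)
    if rec is None or rec["franchise"] != session.franchise:
        return None  # same answer for "missing" and "not yours": no id oracle
    return rec

def count_readable(lookup, session, id_range):
    """Audit helper: how many records one session can read over an id range."""
    return sum(1 for i in id_range if lookup(session, i) is not None)
```

Running `count_readable` with each lookup over a constructed id range shows the difference: the vulnerable path returns every record in the store, the hardened path only the caller’s own.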
Complaints about McHire’s chatbot had surfaced in online forums such as Reddit, where users described Olivia giving nonsensical responses, prompting the closer review that led to the discovery.
McDonald’s and Paradox.ai have not yet publicly addressed the reported security issues.